Add a User to the VanGogh or Rembrandt Cluster
Below are the steps needed to add a user to the VanGogh or Rembrandt cluster.
Home directory
In general the user's home directory is located on the rembrandt0 or vangogh0 home directory server, depending on which cluster will be used primarily. This home directory is then mounted on the other nodes using NFS. On the nodes, the home directory is mounted under [/disk2]/home/<home_server>/<username>, where <home_server> is rembrandt0 or vangogh0. On vangogh0 itself, the home directories are located at /disk2/home/vangogh0/<username>. See NFSHomeDirectories for more information about NFS mounted home directories.
Local home directories, often created for service users, have the format /space/home/<username>.
Local accounts and NIS accounts
On Rembrandt, all nodes have a local /etc/passwd file, while the VanGogh cluster uses a central NIS repository.
All nodes have a local account, defuser, with a local home directory that is not in NIS. It can be used to log in even when NFS or NIS is down. The root account cannot be used for this, since remote login for root should be disabled.
Check group and user
Decide the primary group of the user. Usually the group name is derived from the name of the user's home institution.
Check /etc/passwd for a unique user name and user ID on the home directory servers. Note that not all user accounts exist on both clusters, so check this file on both rembrandt0 and vangogh0. If you like, you can use the same user ID as on mremote or the DAS cluster.
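The check above can be scripted so that a name or UID clash on either home directory server is caught before useradd runs. This is an added example, not a script from the page or the cluster; the passwd and group files it reads are constructed samples standing in for /etc/passwd and /etc/group as copied from rembrandt0 and vangogh0.

```shell
#!/bin/sh
# Added example: verify that a proposed user name and UID are free, and the
# primary group exists, on every home directory server given on the command line.
# Usage: check_new_user <user> <uid> <group> <passwd> <groupfile> [<passwd> <groupfile> ...]
check_new_user() {
    user=$1; uid=$2; group=$3; shift 3
    rc=0
    while [ $# -ge 2 ]; do
        pw=$1; gr=$2; shift 2
        # passwd(5): field 1 is the name, field 3 the numeric UID
        if awk -F: -v u="$user" '$1 == u { f=1 } END { exit !f }' "$pw"; then
            echo "CONFLICT: user name $user already exists in $pw" >&2; rc=1
        fi
        if awk -F: -v i="$uid" '$3 == i { f=1 } END { exit !f }' "$pw"; then
            echo "CONFLICT: uid $uid already taken in $pw" >&2; rc=1
        fi
        # group(5): field 1 is the group name; it must exist (groupadd first)
        if ! awk -F: -v g="$group" '$1 == g { f=1 } END { exit !f }' "$gr"; then
            echo "MISSING: group $group not present in $gr" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample files standing in for the two home directory servers
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/passwd.rembrandt0" <<'EOF'
root:x:0:0:root:/root:/bin/bash
defuser:x:1000:1000:local fallback user:/space/home/defuser:/bin/bash
bob:x:54320:10001:B. Ob:/home/rembrandt0/bob:/bin/tcsh
EOF
cat > "$SAMPLES/group.rembrandt0" <<'EOF'
root:x:0:
nothing:x:10001:
EOF
cat > "$SAMPLES/passwd.vangogh0" <<'EOF'
root:x:0:0:root:/root:/bin/bash
defuser:x:1000:1000:local fallback user:/space/home/defuser:/bin/bash
carol:x:54321:10002:C. Arol:/home/vangogh0/carol:/bin/tcsh
EOF
cat > "$SAMPLES/group.vangogh0" <<'EOF'
root:x:0:
nothing:x:10001:
EOF
R="$SAMPLES/passwd.rembrandt0 $SAMPLES/group.rembrandt0"
V="$SAMPLES/passwd.vangogh0 $SAMPLES/group.vangogh0"
# 54321 is free on rembrandt0 but is already carol's UID on vangogh0, so this fails
check_new_user auser 54321 nothing $R $V || echo "auser/54321: do not create"
```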
Create Users using NIS
On vangogh0:
    edit the files /var/yp/etc/passwd and /var/yp/etc/group
    cd /var/yp; make
Then set a password using
Create the home directory by running on vangogh0 (the other nodes mount it using NFS):
    rsync -av /etc/skel/ /home/username
    chown -R username:group /home/username
SSH Access Control
On VanGogh, you must add a user to one of these groups before he or she can log in:
    vangoghs
    vangogh0
    vangogh1
    vangogh2
    vangogh3
    vangogh4
    vangogh5
    vangogh6
    vangogh7
    vangogh8
On vangogh0:
    edit the file /var/yp/etc/group
    cd /var/yp; make
Firewall Access Control
The firewall is relatively strict. It is acceptable to open it for a couple of /24 blocks per institute.
On vangogh0:
    edit the file /etc/sysconfig/iptables
    cp -pi /etc/sysconfig/iptables /data/cfengine/vangogh/trigger/etc/sysconfig/iptables.login
    cp -pi /etc/sysconfig/iptables /data/cfengine/vangogh/trigger/etc/sysconfig/iptables.all
    /etc/init.d/iptables restart
    cfrun_nodes all -DDAILY
sudo access
On vangogh0:
    run visudo if sudo access is also required on vangogh0 itself
    edit the file /data/cfengine/vangogh/overlay/global/etc/sudoers
    cfrun_nodes all -DDAILY
Create local users
The group names currently in use can be found in /etc/group on the home directory servers.
If the appropriate group does not yet exist on the cluster, create it with the command
    # groupadd -g <GID> <user_group>
The user account can be created with the script add_cluster_user, which is typically started on the home directory server where the user's home directory should be generated. In an interactive session you are asked for the user parameters; where possible a default value is proposed, and pressing return accepts it. The proposed default values are taken from the configuration file /usr/local/etc/default/add_cluster_user. See the man page for more information.
Once all parameters have been specified, useradd is called with the appropriate parameters to create the user account (and the home directory, when selected). Finally a command line is printed that can be used to create the user on the other cluster hosts without interactive intervention. This works well only when /usr/local/etc/default/add_cluster_user is configured identically on all VanGogh and Rembrandt cluster hosts and other parameters, such as shell paths, are comparable.
Below is the output of an example session. The option -n means that the commands used are listed but not executed. With this option add_cluster_user can also be run by non-root users to get an impression of the system commands that would be executed.
    rembrandt0> /usr/local/sbin/add_cluster_user -n
    User? auser
    Full name / Description? A. User (auser@nothing.nowhere)
    User ID? 54321
    Group / GID [ii]? nothing
    Auto home server (none: -) [vangogh0]? rembrandt0
    Home directory [/home/rembrandt0/auser]?
    Use default value: /home/rembrandt0/auser.
    Create home {y,n} [y]?
    Use default value: y.
    Shell [/bin/tcsh]?
    Use default value: /bin/tcsh.
    Command to add user:
    useradd -c A. User (auser@nothing.nowhere) -d /home/rembrandt0/auser -m -k /etc/skel -g nothing -s /bin/tcsh -u 54321 auser
    Clone this user at the cluster with the command:
    add_cluster_user -D -n -c 'A. User (auser@nothing.nowhere)' -g nothing -S rembrandt0 -u 54321 auser
    rembrandt0>
On another host, for instance vangogh0, the execution of the add_cluster_user -D ... command looks like this:
    vangogh0> /usr/local/sbin/add_cluster_user -D -n -c 'A. User (auser@nothing.nowhere)' -g nothing -S rembrandt0 -u 54321 auser
    User: auser.
    Full name / Description: A. User (auser@nothing.nowhere).
    User ID: 54321.
    Group / GID: nothing.
    Auto home server (none: -): rembrandt0.
    Home directory: /home/rembrandt0/auser.
    Create home {y,n}: n.
    Shell: /bin/tcsh.
    Command to add user:
    useradd -c A. User (auser@nothing.nowhere) -d /home/rembrandt0/auser -g nothing -s /bin/tcsh -u 54321 auser
    Clone this user at the cluster with the command:
    add_cluster_user -D -n -c 'A. User (auser@nothing.nowhere)' -g nothing -S rembrandt0 -u 54321 auser
    vangogh0>
User SSH keys
When the user has supplied an SSH public key, it can be installed for instance with the following commands:
    # su - auser
    > mkdir .ssh
    > chmod go-rx .ssh
    > touch .ssh/authorized_keys
    > chmod go-r .ssh/authorized_keys
    > vi .ssh/authorized_keys # To add the key
Alternatively the user's password can be set with the command passwd <username>, or the encrypted password can be set directly in /etc/shadow with the command vipw -s (Debian) or vipw (RedHat). In the latter case /etc/passwd should be explicitly written, so that you are asked whether the shadow file should be edited as well. Note that encrypted passwords in both the short and the long form can be used.
For a user who also has an account on one of the faculty hosts, the encrypted password can be obtained from NIS as a regular user with the command:
    ypcat passwd | grep <username>
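The manual key installation above is easy to get subtly wrong (a second line pasted in, a file left group-readable so sshd's StrictModes rejects it). The following is an added example, not a script from the page or the cluster, that installs a supplied key only after checking it is a single well-formed public key line; the sample key and directory it creates are constructed, not real.

```shell
#!/bin/sh
# Added example: install a user-supplied OpenSSH public key into
# <home>/.ssh/authorized_keys with the 700/600 permissions sshd expects,
# refusing files that do not hold exactly one well-formed key line.
is_valid_pubkey() {
    [ -s "$1" ] || return 1                                  # empty file
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1      # more than one line
    # field 1 must be a known key type, field 2 a base64 blob
    awk '
        NR > 1 { bad = 1; exit }
        $1 !~ /^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521))$/ { bad = 1; exit }
        $2 !~ "^[A-Za-z0-9+/]+=*$" { bad = 1; exit }
        END { exit bad }' "$1"
}

# Usage: install_user_key <home_dir> <pubkey_file>  (run as the user, or as root then chown)
install_user_key() {
    home=$1; keyfile=$2
    if ! is_valid_pubkey "$keyfile"; then
        echo "refusing: $keyfile is not a single valid OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # idempotent: do not append a key (type + blob) that is already present
    key=$(awk '{ print $1, $2 }' "$keyfile")
    if ! grep -qF -- "$key" "$home/.ssh/authorized_keys"; then
        awk '{ print }' "$keyfile" >> "$home/.ssh/authorized_keys"   # always newline-terminated
    fi
}

# Constructed sample key (not a real key) and throwaway home directory for a stand-alone run
DEMO=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey0000 auser@nothing.nowhere\n' > "$DEMO/auser.pub"
install_user_key "$DEMO/home" "$DEMO/auser.pub" && echo "key installed under $DEMO/home/.ssh"
```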
Local storage
Users can also obtain local storage on the cluster hosts in the directory /space/user/<username>. These directories can be created and made accessible to the user with the following commands:
    # mkdir /space/user/auser
    # chown auser:nothing /space/user/auser
    # su - auser
    > ln -s /space/user/auser space
The symbolic link command in the user's home directory should of course be run only once.
Nettest group s-bit access
Some network test programs have the s-bit enabled and can only be run by members of the nettest group. Access to them is granted by making the new user a member of that group as well: edit /etc/group with the vigr command and add the user to the line:
    nettest:x:10000:root,auser,....